[57] ABSTRACT

Methods and apparatus for providing location certificates to 
certify the position or location of an object are disclosed. 
The position of the object is computed using radio signals 
and the secure transmission of the computed position is 
achieved using public key encryption techniques. 

20 Claims, 3 Drawing Sheets

METHOD FOR PROVIDING LOCATION CERTIFICATES

FIELD OF THE INVENTION

The invention relates to methods and apparatus for providing
reliable location certificates which are used to prove the
geographic location of a particular object or event. More
particularly, the invention relates to establishing to a
requester that an object is being used in its restricted area of
... cal location, or that an event is confined to a particular area.

BACKGROUND AND SUMMARY OF THE INVENTION

It is frequently desirable or imperative to reliably know
the precise location of an object, and to be able to determine
that location on a reoccurring basis. The object may be
highly mobile or relegated to use in a confined area or
confined areas.

Objects being transported by vehicle are highly mobile.
With respect to such objects which are dangerous or
controlled, as for example toxic waste and nuclear materials,
it is desirable to be able to reliably monitor their location
during transport between locations. Such monitoring may be
continuous or may be from point-to-point.

Digital signatures represent objects which may be
intended to be used only in highly localized areas. Digital
signatures involve the use of cryptographic keys to sign
messages. For legal or security reasons it is at times important
to prove or establish that these digital signatures are
being generated within a particular jurisdiction, a specific
complex, building or room. For example, a digital signature
of a bank employee that is used in various bank transactions
would advantageously be confined to the location of a
guarded bank facility. An employee's computer sign-on
token may be limited to use at a location such as
home or the office. For audit and billing purposes the
location of requestors for access to sensitive material or
databases is needed.

There are other environments in which it is important to
reliably know the location of an object. A supplier of
electronic broadcasts may need to screen certain locales to
black-out reception of certain sports broadcasts, concerts,
etc., or other signals such as electronic gambling events. In
other instances, satellite decoder boxes limited to use in
licensed areas are needed.

The present invention uses unique location certificates to
track goods and wares during shipment, establish the location
of participants in a network, determine the location at
which a digital signature was performed, ascertain the
validity of objects which are expected or mandated to be
present within certain geographic bounds and control the use
of security or sensitive devices by limiting their operation to
certain locations.

Determining the location of an object or event involves
the employment of a position determination unit. In accordance
with an exemplary embodiment of the present
invention, the position determination unit operates on the
reception of Loran or Global Positioning System (GPS)
signals to establish its location. The unit may continuously
determine its position or compute its position on request. A
secure authorization unit functions to authenticate the location
information reported to a requestor. Specifically, the
secure authorization unit through the use of its private
digital signature key and a certificate authenticates that the
requested position information is provided by a trusted
location certification unit.

Three basic systems are set forth as exemplary embodiments
of the present invention, one with a basic location
certification unit (LCU), a second using a sensor, and a third
operating on a two-way link between a beacon and the
sensor in the LCU. In addition, many variations
and modifications of these systems are disclosed, and others
will be readily apparent to those skilled in the art from these
... individual to breach the security of the
system, as for example, by the use of sophisticated spoofing
techniques where false radio broadcasts on Loran or GPS
frequencies may be employed to cause the position determination
unit to compute a position other than its actual
position. The systems of the present invention use techniques
and procedures to safeguard against such eventualities.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a first illustrative embodiment of a location
certification unit;

FIG. 2 shows another illustrative embodiment with a
mobile object;

FIG. 3 shows a further illustrative embodiment operating
with a two-way communication link between a beacon and
a sensor at the LCU;

FIG. 4 illustrates the signal timing between and within
the units of the embodiment of FIG. 3; and

FIG. 5 is a flow chart delineating the sequence of operations
performed in the FIG. 3 embodiment.

DETAILED DESCRIPTION OF THE INVENTION

In public key encryption systems, the public keys of a user
are the encryption keys published by the user that may be
used for privately communicating with the user. Anyone
wanting to privately communicate with the user simply
encrypts the message employing the user's public encryption
key. Only that user's secret decryption key can be used to
decipher the encrypted message.

In order to ensure that a specified public key is one that
has actually been created by the specified individual,
certificates are provided. Certificates can be thought of as brief
messages which are signed by the trusted authority, and
which contain, either explicitly or implicitly, a reference to
the public key which is being therein certified, and the
identity of the public key's owner. In such an
implementation, if "C" has provided a certificate for "A",
then recipient "B" can trust the use of "A's" public key,
provided that "B" trusts "C".

A location certification unit (LCU) as shown in FIG. 1
includes a position determination unit (PDU) 1 coupled to a
secure authorization unit (SAU) 2. The units 1 and 2, or at
least the sensitive components of the units, are contained in
a tamper resistant enclosure in such a manner that tampering
will trigger an alert signal and erasure of sensitive information
such as authenticating keys stored in the unit. Acceleration
fuses can be used to prevent tampering through
subjecting the unit to acceleration or gravitational forces to
disturb a clock, if included in the unit. As will be appreciated
by those skilled in the art, the nature and degree of security
and tamper resistant expedients incorporated into the system
and components will correspond to the anticipated risks.

The PDU 1 includes conventional position determining
apparatus for receiving Loran and/or GPS signals and for



5,659,617

computing its position. The current location or position may
be continuously computed and maintained, or it may be
computed only in response to a request.

SAU 2 contains its own private digital signature key
stored in a secure probe-resistant memory 3. This private
key has a public aspect which is digitally signed by the
,™n„fc„*n~r n «JcX7l,M TZT ' ^
^^r!Xr7f 0 ^^^^Z^,
viding a certificate indicating to the requestor that the public
LCU TOs°crtS m? be ^dtofteT SstoRat to
a part of the iS^cSE!^ sSK25l"
rwXZce^. a f«, MMtwNl ^ i^^.i
processor 4 for processing data and control of internal
functions, and a send/receive unit 5 for communicating with
the requestor R.

While the invention is not limited to any particular digital
signature key technique, one technique which can be used is
the RSA technique of using a private digital signature key to
sign a message which the requestor or receiving party can
validate using the originator's public key, as described in
U.S. Pat. No. 4,405,829 issued to Rivest et al. In brief, an
intended receiver's public key is made available to the
sender, i.e., requestor, and is used for sending an encrypted
message. Only the private decryption key at the LCU's
receiver can decipher the message. The decryption key is
then used to digitally sign a message which is sent to the
original sender or requestor. The recipient or requestor can
verify the signature by encrypting it with the LCU's public
key. While anyone having the LCU's public key can read the
signature, only the LCU signing the message could have
, ,

The certification is provided by the manufacturer's digital
signature which may be stored in memory at the SAU and
sent to the requestor. That is, the manufacturer provides a
digital signature indicating that the public key, used by the
requestor, belongs to a trusted LCU, as described, for
Sfts tSSiS^^lZl!^ S£££
(which is hereby incorporated by reference). This certificate
c^Sio ^Hfi* aSapai ^ authenticated
location certificate.

In operation, the LCU (FIG. 1) in response to a request
computes or determines its current position in the PDU 1,
authenticates the reported position by supplying a digital
signature 3a and a certificate 3b in the SAU 2, and sends the
message to the requestor R. Additional information 3c may
be provided in the signed message, as for example, the
current time/date stamp, the identity of an associate user, and
the challenge response information supplied by another
entity, e.g., requestor.

Verification of the digitally signed message is effected by
use of the trusted manufacturer's public key. The manufacturer's
public key is used by the requestor to determine that
a unit's public key is, in fact, in a certification hierarchy and
is associated with a trusted LCU. This validation of the
unit's public key is then used to verify the digital signature.
Any alteration of the digital signature is immediately
detected. Where multiple levels of certification are used, as
in inventor's U.S. Pat No. 5,005,002 (which is hereby
incorporated by reference), the trusted key is used to chain
through the certification hierarchy to ultimately determine
that the unit's public key is, ^
LCU.

Installing LCUs in objects, e.g., digital signing devices,
computer log-on cards, controls for broadcast receivers, or
smart cards for use with broadcast receivers, in combination
with means for disabling the use of such objects, provides
for control over the location at which the objects can be
used. Incorporating a LCU in a computer log-on card
designed to be limited to use at either the office or home,
means that the defeat of the LCU would require sophisticated
techniques such as generating false Loran or GPS
signals to cause the PDU of the LCU to compute a fake
position. Moreover, the presence of other conventional safeguards
such as personal identification number (PIN) or
password requirements to activate the card would provide
significant layers of protection against the ordinary thief
successfully using the card.

A second embodiment of a LCU is particularly useful to
monitoring the location of a moving object. Illustrated in
- t Tf T rTT; e ;« » t™^™ hflU jn,
S'J? 9 w^F ■ ♦ system having features
which make the location certificate spoof resistant, i.e.,
resistant to being deceived into computing a false position.
The use of a highly accurate clock 6 in the sensor 7 of the
LCU synchronized with a clock 12 of the beacon 10 serves
to defeat spoofing of the system. In this embodiment, each
beacon 10 is equipped with a private key or a shared private
key that is common among the beacons. Where beacons
share a common key, then each beacon is provided with its
own identification. The keys or identifications are
maintained in a memory associated with processor 11. The
LCU has one or more sensors 7 that have access to the
beacons' public keys. A beacon's transmission includes
digital authentication of the broadcast time and an indicator
of the beacon's identity.

Under the foregoing conditions, and without the synchronized
clocks, a would-be spoofer cannot
M suhsti £g% ^ a ^^^to confuse one beacon's signal
with that of another, nor accelerate or formulate signals. One
can, however, copy a beacon's transmission and rebroadcast
it at some delayed interval or intervals. The system then has
need of means to prevent the reception or action on signals
that are too distant or at wrong angular locations. This is the
function of the synchronized clocks.

bcaCMS m m arfjitm « ****** ^ in the GPS or
m m Loran stations, position is determined using two, three
or more beacons. A delayed rebroadcast of a true satellite
beacon's message from a false beacon would mean that the
false beacon is located further out in space or on the other
side of the Earth. In the latter case, sensing a different
beacon lying in a direction away from the apparent position
of the first observed beacons suffices to determine whether
the computed position is true or false. In the former case, the
aforementioned synchronized clocks are used to inhibit the
reception and use of the false beacon.

With the synchronized clock system, each beacon precomputes
the digital signature and its time duration that is
due to be transmitted at some precise time in the future. At
the prescribed moment, the first bit of the precomputed
digital signature is transmitted. The balance of the message,
including an authenticated time stamp, is of predictable
duration and is transmitted with each bit coming at a
precisely timed interval. The sensor or receiver at the LCU
determines, based on its internal clock, the exact moment the
transmission was received, and that each bit after the first bit
arrived on schedule. This need not be done in real time but
the message may be stored and processed after it has been
fully received. The authenticated time stamps are verified
using the public key associated with each beacon and
compared with the sensor clocked time of receipt of the
message. An additional time check can be made by considering
the differentials between beacons. The position of the
LCU is determined by using the time differentials between
each of the beacons, and the result is checked for consistency.
The position computed by the differentials must agree
with the time difference between the sensor's internal clock
and that time broadcast by each of the beacons. The position
of each beacon is known, from authenticated broadcasts or
tables stored in the sensor, the speed of the transmitted radio
signal is known, then the purported distance/time to each
beacon can be calculated. The calculated times and the
measured time differentials are compared to see that they are
the same.

The degree of accuracy of the clocks sets the degree of
accuracy to which true or false signals can be detected.
Therefore, the clocks must have accurate time intervals and
must not drift over long periods of time. Drift problems can
be minimized by resetting the clocks periodically, recalibrating
the sensor clocks from master clocks at the beacons,
using temperature controlled clock environments, and using
very high quality accurate clocks or a multiple clock system.
Where the clocks are subject to strong gravitational fields or
acceleration and run slower, the fact that the clock runs
slower can be taken into consideration. Since the speed of
light is one foot per nanosecond, the degree to which
spoofing can be controlled is one mile per 5 microseconds of
drift.

In a third embodiment, illustrated in FIG. 3, the sensor 7
relies on a beacon 10 with a confirmed position and the PDU
1 determines its position as a function of being on a radius
of the beacon. As in the previous embodiment, each sensor
has a clock 6 synchronized with the clock 12 of the beacon,
and maximum position is determined by measuring the time
required to receive the beacon's signal. The need for the high
synchronization of the previous embodiment is reduced by
using a two way communication path between a beacon and
a sensor. Thus, the sensor 7 is provided with a transmitter $
compatible for communicating with a receiver 14 in the
beacon 10. In addition, the beacon is provided with a
processor 11 for controlling the transmission and formulating
a response.

The sensor generates a random challenge number and
transmits it to the beacon. The beacon constructs a response,
including its digital signature, the sensor's random challenge
number and the beacon's position. The beacon's clock value
and other beacon operating characteristics may also be
included in the response.

As illustrated in FIG. 4, each signal exchanged by the
sensor and the beacon has a mark pulse which is the signal
to which the time of transmission is associated and calibrated.
The mark pulse can be the first, the last or at any
other distinguishable point in the transmission. The signal
parts illustrated in FIG. 4 are identified as follows.

S0 — The observed value of the sensor's clock when the
request is started.

V0 — The sensor emission time: the (known, previously
calibrated) time interval between S0 and the moment
the mark pulse physically escapes from the sensor. This
includes whatever processing time is required to read
the clock, store the clock value, construct the request,
etc.

T0 — The duration of the request signal.

T1 — The time for the request signal to move from sensor
to beacon.

D1 — The distance which the request signal traverses.

M1 — The moment the request's mark pulse impinges on
the beacon.

V1 — The beacon reaction time — the (known, calibrated)
time required between M1 and the moment the beacon's
clock value is observed.

B1 — The beacon clock value determined after the mark
pulse is determined.

B2 — The beacon clock value at the end of transmission
receipt.

V2 — The beacon trailing reaction time (to determine the
clock value after the transmission is recognized as
complete).

— The overall beacon "processing time" — from the
time a request signal impinges on the beacon, to the
moment the response signal escapes. In the preferred
embodiment, this time is known before the signal is
actually computed — it is actually taken as a "given"
which the beacon works to provide.

P, — The time required by the beacon to process the
signal, perform the digital signature, prepare the
response, and schedule it for transmission.

B3 — The internal clock time which the beacon must
observe in order to commence response emission.

V3 — The (known, calibrated) time which is spent by the
beacon after observing a trigger clock value (say B3)
until the response's mark pulse actually escapes the
beacon.

B4 — The moment the mark pulse escapes the beacon.

T2 — The time for the response signal to move from
beacon to sensor.

D2 — The distance which the response signal traverses.

V4 — The (known, calibrated) sensor time reaction
between the receipt of the response mark pulse, and the
observation of the sensor's clock.

S2 — The sensor clock value observed after receiving the
response mark pulse.

V5 — The (known, calibrated) sensor time reaction
between the receipt of end of response, and the observation
of the sensor's clock.

S3 — The sensor's clock value after recognizing the end of
the response.

— The expected duration of the response transmission.
Given these variables, the timing, illustrated in FIG. 4, 
and the processing, illustrated in FIG. 5, are as follows: 
1010 The sensor computes a challenge value, constructs
the transmission request (of known length and duration

1020 The sensor observes its clock (S0).

1030 The sensor emits the request. The calibrated time
between step 1020 and the eventual emission of the
mark pulse is a calibrated constant (V0).

1040 The signal impinges on the beacon at M1.

1050 After recognizing the signal, the beacon observes its
clock value (B1). The process requires known calibrated
time (V1 = B1 - M1).

1060 The beacon receives the balance of the transmission,
and observes its clock value (B2) at the end. Checks
may also be done to all intermediate transmission
pulses to see that they are properly timed.

1070 Validity checks are done. For example, the expected
request transmission time (T0) is checked against the
observed time (B2 - V2 - (B1 - V1)).

1080 The beacon is designated to emit its response after
a predictable duration (B^). Such duration must always
exceed all possible expected intermediate computations
and processing (preferably by some comfortable
margin). B a can be constant, and characteristic of a
class of beacons; or can be constant for each specific
beacon; or can be determined as part of each response
(and therefore must be included as information as part
of the response). In any event, whether constant or
variable, the beacon must know (or compute) it prior to
constructing the response.
1090 The beacon constructs the response, consisting of,
e.g.,

a. The sensor's received challenge value.

b. The beacon's Location.

c. An indication of the Authority which Confirms the
Location; possibly including a digital signature.

Other information, such as, e.g.,

d. Any clock value corresponding to a distinguishable
beacon event. In the embodiment shown, this is
B4 — the time the mark pulse is expected to escape.
This is computed as:

e. The beacon's public key and certificate.

f. An indication of the beacon's certifying authority.

g. The beacon's identifier.

h. The beacon's processing time B^.

i. The beacon clock's accuracy, granularity, etc.

j. The expected length of the response transmission.

k. When the location was set.

l. Other beacon characteristics.

m. Characteristics, or facts, about the Confirming
Authority; including, for example, a digital signature.

The beacon then digitally signs at least transmission
fields a, b, c using the beacon's private key.

1100 The beacon computes the moment

when emission processing should commence for this
response.

1110 If the beacon handles multiple signals in parallel,
then the response is queued until time B3; if the beacon
handles requests serially, then the beacon simply waits
until it observes clock value B3.

1120 On observing clock value B3, the beacon commences
to emit the already computed response, with
expected duration of

1130 The mark pulse associated with the response escapes
the beacon at time B4, since the calibrated emission
processing time after observing time B3 until mark
pulse escape is known to be V3.

1140 The mark pulse impinges the sensor.

1150 After recognizing the mark pulse, the sensor
observes its clock and obtains reading S2. The time
required to do this has been calibrated as V4.
The balance of the response is accepted and verified as
arriving under the expected time and signal constraints.

1160 After receiving the end of the response, the sensor
takes observed clock reading S3, which is calibrated as
requiring V5 seconds to accomplish.

1170 The sensor then computes the response transmission
duration

and compares it with expected duration

1180 If there is a mismatch, a fault is indicated, and the
location operation may be re-performed.
1190 The sensor validates the response: 
Verifies the beacon's digital signature. 
Verifies the beacon's public key (using, e.g., the bea- 
con's certificate) 
Insures it trusts the beacon or its certifier. 
Identifies and insures it trusts the Confirming Authority. 
Extracts the authenticated beacon position. 
1200 Using information about the beacon, supplied by the 
beacon or elsewhere, the sensor computes the signal 
transmit time r 

1210 Assuming the sensor was stationary during the
signal exchange, and assuming the signal traveled at
"c", the speed of light, then

reasonably estimates the distance of the sensor from the
beacon's known authenticated location. Even if the
sensor moved during the exchange, the sensor must
have been at least within this distance at some moment
during the exchange. This estimate may need to be
tempered using error estimates based on clock
granularities, wavelengths used by the transmissions,
and inherent clock error bounds.

1300 Based on this exchange, provided the beacon
included its clock reading, say B4 (see (d) in step 1090),
the sensor is able to update its clock by an additive
amount:

with an accuracy of:
plus-or-minus (shV2Xc)
•inherent clock granularities & errors
+transmission signal frequency
Where the first error term arises from the possibility
that the sensor was moving toward or away from the
beacon during the exchange. If the sensor is known to
be fixed, such as using motion detectors to insure no
movement occurs during the exchange, then the first
error term can be omitted.
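
The FIG. 3 challenge-response exchange and the sensor's checks in steps 1190 to 1210, sketched in Python as an added example (not code from the patent). HMAC-SHA256 stands in for the beacon's digital signature, the round-trip formula is derived here from the FIG. 4 symbol definitions, and every name and constant, including BP_NS for the beacon processing time, is an assumption.

```python
import hashlib
import hmac
import json
import secrets

C_M_PER_S = 299_792_458            # speed of light
# Constructed calibration constants in nanoseconds, named after FIG. 4 symbols.
V0_NS = 2_000        # sensor emission time: clock read S0 -> mark pulse escapes
V4_NS = 1_000        # sensor reaction time: response mark pulse -> clock read S2
BP_NS = 500_000      # beacon processing time: request arrives -> response escapes
BEACON_KEY = b"constructed-demo-key"   # stand-in for the beacon's signing key


def _tag(body: bytes, key: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def beacon_respond(challenge: bytes, key: bytes = BEACON_KEY) -> dict:
    """Step 1090: build the response fields and authenticate them."""
    body = json.dumps({
        "challenge": challenge.hex(),                   # field a
        "position": [40.7128, -74.0060],                # field b (constructed)
        "authority": "example-calibrating-authority",   # field c (constructed)
        "processing_ns": BP_NS,                         # field h
    }, sort_keys=True).encode()
    return {"body": body, "tag": _tag(body, key)}


def sensor_validate(challenge, response, s0_ns, s2_ns, max_radius_m,
                    key=BEACON_KEY):
    """Steps 1190-1210: authenticate the response, then bound the distance."""
    if not hmac.compare_digest(_tag(response["body"], key), response["tag"]):
        return ("reject", "bad signature", None)
    fields = json.loads(response["body"])
    if not hmac.compare_digest(fields["challenge"], challenge.hex()):
        return ("reject", "challenge mismatch", None)
    # Request mark pulse leaves at S0 + V0; response mark pulse arrives at
    # S2 - V4. Removing the authenticated beacon processing time leaves the
    # two transit times T1 + T2.
    round_trip_ns = (s2_ns - V4_NS) - (s0_ns + V0_NS) - fields["processing_ns"]
    if round_trip_ns < 0:
        return ("reject", "impossible timing", None)
    distance_m = C_M_PER_S * round_trip_ns * 1e-9 / 2   # stationary sensor
    if distance_m > max_radius_m:
        return ("reject", "outside radius", distance_m)
    return ("accept", "ok", distance_m)


def run_exchange(true_distance_m, relay_delay_ns=0, stale=False, tamper=False,
                 max_radius_m=1_000.0):
    """Simulate one exchange; returns (verdict, reason, estimated distance)."""
    challenge = secrets.token_bytes(16)                 # step 1010
    s0_ns = 10_000_000_000                              # step 1020 (constructed)
    transit_ns = round(true_distance_m / C_M_PER_S * 1e9)
    # A stale response answers some earlier challenge (a recorded broadcast).
    answered = secrets.token_bytes(16) if stale else challenge
    response = beacon_respond(answered)
    if tamper:  # position altered in transit, tag left unchanged
        response = dict(response,
                        body=response["body"].replace(b"40.7128", b"48.8566"))
    # Sensor clock when the response mark pulse has been recognised (step 1150).
    s2_ns = (s0_ns + V0_NS + transit_ns + BP_NS + transit_ns
             + relay_delay_ns + V4_NS)
    return sensor_validate(challenge, response, s0_ns, s2_ns, max_radius_m)


if __name__ == "__main__":
    print(run_exchange(300.0))                          # honest beacon
    print(run_exchange(300.0, relay_delay_ns=20_000))   # delayed rebroadcast
    print(run_exchange(300.0, stale=True))              # recorded response
    print(run_exchange(300.0, tamper=True))             # altered position
```

Any delay inserted between beacon and sensor can only enlarge the estimated distance, which is why the computed value is an upper bound on how far the sensor was from the beacon.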
In the above example of this embodiment, the response
includes the beacon's certificate in its transmission.
However, the beacon's public key may be embedded in the
sensor, or may be ascertained in other manners. Other
authenticated digital information may include the beacon's
identity, expected response time, means by which the location
information has been determined, the expected accuracy
of the positional information, the authority responsible for
determining the beacon's position, the level of security
ascribed to the device, the time associated with the response
mark signal, and the authority responsible for determining
the beacon's clock.

In this embodiment, the precise position of the beacon is
a limiting factor on the correctness of determined position of
the PDU. The position of the beacon can be determined by
Loran, GPS or other radio based techniques, and it can be
confirmed by a trusted calibrating authority. To insure that
the beacon remains stationary once its position is
established, movement sensors may be provided to generate
an alert signal upon the sensing of movement or tampering.
Where such a stationary beacon is moved for any reason,
deliberately or by an earthquake, then the position must be
redetermined and reconfirmed.

Where the beacon's position is confirmed by a calibrating
authority, then the authority is responsible for certifying the
accuracy of the position information. If the beacon determines
its own position from radio signals, then the calibrating
authority can only be viewed as a confirming entity that the
beacon is a trusted beacon, and not one that may have been
spoofed. Hence, certificates by calibrating authorities are
constructed and appraised in accordance with the function of
the calibrating authority, which may be indicated in the
certificate. Moreover, identification of the calibrating
authority in the certificate serves to inform the user of same
the degree to which position information may be trustworthy.

A stationary beacon may advantageously be used as a
source to set a highly accurate clock in mobile LCUs. As in
the example above, where the beacon includes its clock
value B4 as part of its response, then the mobile LCU can set
its clock to a trusted accuracy with known error. With respect
to high acceleration of the LCUs, an acceleration fuse would
provide a part of the tamper resistant construction.

While the digital signature has been described using the 
RSA algorithm, other algorithms such as DSA, symmetric 
or the protocols developed by Goldwasser and Micali or by 
Chaum may be employed. Moreover, the algorithms and/or 
protocols may be used in combination. 

While the invention has been described in connection
with what is presently considered to be the most practical
and preferred embodiment, it is to be understood that the
invention is not to be limited to the disclosed embodiment,
but on the contrary, is intended to cover various modifications
and equivalent arrangements included within the spirit
and scope of the appended claims.

What is claimed is: 

1. A secure method of establishing the location of an
object by calculating in-situ the location of the object from
received radio signals wherein the radio signals are received
from a beacon via a two-way communication between the
beacon and a sensor on the object, comprising

computing and transmitting at said sensor a signal including
a challenge value and observing a clock associated
with said sensor,

recognizing at said beacon the transmitted sensor signal,
observing at the beacon a clock associated with the
beacon, constructing a response message including the
sensor's received challenge value, the beacon's
location, its location certificate and a time stamp, and
transmitting the response message to said sensor,

recognizing at said sensor said transmitted response
message, observing the sensor clock, and validating the
response message, computing the signal transit time
and estimating the distance to the beacon, and based on
the location of the beacon and the distance, calculating
the location of the sensor and thereby the location of the
object and

transmitting in response to a request from a requestor a
message comprising the digitally signed calculated
location of the object.

2. A method as in claim 1 and including transmitting a
certificate for the object in the message comprising the
digitally signed calculated location of the object.

3. A method as in claim 1 wherein the clocks associated
with the beacon and the sensor are synchronized and
including,

calculating the transit time from the time stamp and the
observed time for receipt of the response message at the
sensor and comparing this time with the computed
signal transit time.

4. A method as in claim 1 wherein said object includes a
sensor with an accurate clock synchronized with a beacon
clock and includes the step of receiving a time stamp from
the beacon and comparing it with the sensor clock to
authenticate the receipt of location information is from a
valid beacon.

5. A method as in claim 1 wherein said beacon and said
sensor each include an accurate clock and includes the step
of updating the sensor clock in accordance with the time
stamp transmitted by the beacon.

6. Apparatus for providing location certificates comprising

a location certification unit for receiving radio signals
from two or more beacons,

said location certificate unit including position determination
means and secure authorization means,

said secure authorization means including a private key of
a private key-public key pair for digitally signing
messages sent to a requesting source, a certificate for
the public key certifying that the public key is in fact
the public key of the secure authorization means, a
clock synchronized with clocks in the beacons, means
for receiving and processing a time stamp transmitted
by a beacon, and means for determining from the time
stamp and the clock in the secure authorization means
that a received radio signal is from a valid beacon,

said beacons providing radio signals from which said
position determination means can compute its position
and said secure authorization means can determine that
the signals are valid, and

means for sending to said requesting source upon request
a digitally signed message including the computed
position of said location certificate unit and the certificate
for the public key which public key is to be used
by the requesting source to verify the signed message.

7. Apparatus as in claim 6 further comprising means for
establishing a secure two-way communication link between
each beacon and the sensor in the secure authorization
means.



8. Apparatus as in claim 6 wherein said location 
certification unit is a component of a digital signature device. 

9. Apparatus as in claim 6 wherein said location 
certification unit is a component of a satellite signal box. 

10. A location certification unit comprising a position 
determination unit, a secure authorization unit coupled to 
said position determination unit, a memory within said 
secure authorization unit, a digital signature key stored in the 
form of digital data in said memory, said key having an 
associated public key, a certificate for said public key, said 
certificate being stored in said memory, a sensor for receiving 
a message from a beacon that includes the clock time at 
which the message was transmitted and for processing the 
message to retrieve the clock time, the sensor including a 
clock, said position determination unit computing from the 
retrieved clock time and the time of sensing a received 
message as indicated by the sensor clock the radial distance 
the location certification unit is from the beacon thereby 
determining the location of the location certification unit as 
being within a geographical area centered on the beacon, and 
means for communicating to a requestor in response to a 
request the certified location of said location unit, said 
certified location comprising the location as determined by 
said position determining unit signed with said digital signature 
key and the certificate for said public key. 

5,659,617 

11. A location certification unit as in claim 10 wherein 
said memory further stores a personal identification number 
and a password and said location certification unit is a 
component of a computer log-on card. 

12. A location certification unit as in claim 10 wherein the 
location certification unit is a component of a digital 
signature device. 

13. A location certification unit as in claim 10 wherein the 
location certification unit is a component of a satellite signal 
box. 

14. [illegible] clock, time at which the message was transmitted; and said 
sensor has stored therein the public key of the beacon for 
verifying the clock time using the public key of the beacon. 

15. A location certification unit comprising: 

a position determination unit for [illegible] 
of the location certification unit from [illegible] radio 
signals, 

a secure authorization unit coupled to the position 
determination unit and comprising a memory, a sensor 
having a clock for providing clock time, and means for 
communicating to a requestor in response to a request 
a message containing the certified position of the 
location certification unit as determined by the position 
determination unit, 

[illegible] associated with the 
digital signature key, 

said clock providing a clock time for validating a received 
radio signal, the signal containing the time at which it 
was transmitted, sensed by the sensor as being from a 
valid source, and 

said certified position of the location certification unit 
comprising (1) the position of the location certification 
unit as determined by the position determination unit 
signed using the digital signature key and (2) the 
certificate. 

16. A location certification unit as in claim 15, said sensor 
further comprising a processor for processing sensed radio 
signals to provide the identity of the source of the signal 
where that information is contained in the signal, and for 
decrypting a sensed digitally signed radio signal with the 
public key of the source of the signal to verify the identity 
of the source and the time at which the signal was 
transmitted. 

17. A location certification unit as in claim 15 wherein 
time differentials between the time the sensor clock marks a 
sensed signal and the time at which the signal was sent with 
respect to a plurality of sources are used to calculate the 
position of the location certification unit and each time 
differential is checked with the calculated signal transit time 
[illegible] the calculated position [illegible] known location of the 
source. 

18. A location certification unit as in claim 15 wherein 
[illegible] capable of receiving and processing signals 
[illegible] one source and said position 
determining means determines the position of the location 
[illegible] messages [illegible] least two 
[illegible] 

19. A location certification unit as in claim 18 wherein the 
sources are beacons and the location certification unit 
further comprises a transmitter for sending messages to a 
beacon that trigger the beacon into transmitting a response 
message that includes a time stamp, whereby it can be 
[illegible] 
the time stamp with the sensor clock time at the time of 
receipt of the response message. 

20. A location certification unit as in claim 18 further 
comprising a transmitter for sending a message to a beacon 
that triggers the beacon into transmitting a response message 
that includes a time stamp, whereby the total time for the 
sent message to travel to the beacon and the response 
message from the beacon to be sensed at the sensor, adjusted 
for by beacon delay and internal location certification unit 
delay, is divided in half and compared with the difference 
between the clock time at the time of receipt of the message 
and the time stamp to verify that the response message is 
valid. 

* * * * * 
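
The validity check recited in claim 20, together with the synchronized-clock comparison of claim 3, as an added Python example that is not part of the patent. The field names, the 50 ns tolerance and the sample timings are assumptions constructed for illustration; the sensor and beacon clocks are assumed synchronized and the unit's internal delay is modelled on the transmit side.

```python
from dataclasses import dataclass

C = 299_792_458.0  # propagation speed of the radio signal, m/s


@dataclass
class Exchange:
    t_sent: float        # sensor clock when the trigger message was sent (s)
    t_received: float    # sensor clock when the response was sensed (s)
    time_stamp: float    # time stamp carried in the beacon's response (s)
    beacon_delay: float  # known beacon turnaround delay (s)
    unit_delay: float    # known internal delay of the unit (s)


def half_round_trip(x: Exchange) -> float:
    """Total exchange time, adjusted for both delays, divided in half."""
    return (x.t_received - x.t_sent - x.beacon_delay - x.unit_delay) / 2


def stamp_difference(x: Exchange) -> float:
    """Sensor clock at receipt minus the beacon's time stamp."""
    return x.t_received - x.time_stamp


def validate(x: Exchange, tolerance: float = 50e-9):
    """Return (valid, distance_m); tolerance is an assumed clock-error budget."""
    half, stamped = half_round_trip(x), stamp_difference(x)
    if half < 0 or stamped < 0 or abs(half - stamped) > tolerance:
        return False, None   # stale, held or relayed response: reject
    return True, half * C    # transit time -> radial distance to the beacon


def constructed_exchange(distance_m, extra_return_delay=0.0,
                         beacon_delay=2e-6, unit_delay=0.5e-6) -> Exchange:
    """Constructed sample timings; extra_return_delay models a response that
    was held or relayed on its way back to the sensor."""
    flight = distance_m / C
    stamp = unit_delay + flight + beacon_delay   # beacon transmits its response
    received = stamp + flight + extra_return_delay
    return Exchange(0.0, received, stamp, beacon_delay, unit_delay)


if __name__ == "__main__":
    print(validate(constructed_exchange(3000.0)))        # genuine beacon at 3 km
    print(validate(constructed_exchange(3000.0, 5e-6)))  # response delayed 5 us
```

A response delayed on the return path lengthens the time-stamp difference by the full delay but the halved round trip by only half of it, so the two figures stop agreeing and the message is rejected.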